CMMC GRC Consultant (Hybrid)

Job Responsibilities Lead initial client scoping engagements: identify people, processes, and assets that interact with CUI and FCI. Build RACI accountability matrices and data flow diagrams. Determine enclave architecture recommendations (GCC, GCC High, hybrid, on-prem, full environment) in collaboration with Security Engineers based on where CUI/FCI resides in the client environment. Conduct comprehensive gap assessments against all 320 objectives across 110 controls of NIST SP 800-171 Rev 2. Score each objective as Met, Not Met, or Partially Met. Calculate and submit SPRS scores. Create detailed Plans of Action and Milestones (POA&Ms) from gap assessment findings. Prioritize remediation tasks and define milestones, resource requirements, and completion dates. Translate gap assessment findings into specific, actionable remediation tasks mapped to Azure/M365 components using the team’s Control-Task Tracker. Each task must include enough detail that a Security Engineer can execute without further interpretation. Develop and maintain System Security Plans (SSPs) documenting all 110 controls, implementation status, system boundaries, data flows, and organizational policies. Create and maintain the full CMMC compliance policy library: access control policy, incident response plan, configuration management policy, audit policy, media protection policy, and all other required policy and procedure documents. Manage the evidence collection process. Define what evidence is needed per control, coordinate with Security Engineers to capture technical evidence, and organize the evidence repository. Conduct internal readiness reviews and mock assessments prior to C3PAO engagement. Identify remaining gaps and drive remediation to closure. Support clients during C3PAO Level 2 assessments: answer assessor questions, locate evidence, provide clarifications, and coordinate responses to findings. Manage 4-7 concurrent client engagements at various stages of the CMMC lifecycle. Train client staff on security policies, acceptable use, CUI handling procedures, and incident reporting obligations. Job Qualifications 3+ years of experience in cybersecurity compliance, GRC, or IT audit roles. Direct experience with NIST SP 800-171 and/or the CMMC framework. Must be able to discuss the 14 control families and their requirements without relying on reference materials. Experience writing System Security Plans (SSPs), POA&Ms, and compliance documentation for federal contractors or defense industrial base (DIB) organizations. Experience conducting gap assessments or security assessments against a recognized framework (NIST 800-171, NIST 800-53, FedRAMP, ISO 27001, or similar). Working knowledge of Microsoft 365 and Azure at a conceptual level. Does not need to configure Sentinel or Conditional Access, but must understand what these tools do and which CMMC controls they satisfy. Preferred Experience Experience supporting C3PAO assessments (either as the assessed organization or as a consultant). Familiarity with DFARS 7012, ITAR, and EAR requirements and how they affect CUI scope. Experience with GRC platforms (e.g., RegScale, CORA, Totem, PreVeil, or similar). Prior MSP or consulting experience managing multiple concurrent clients. Experience with Microsoft Compliance Manager and Purview for compliance tracking and evidence. Required Certification (at least one; additional required within timeline): CMMC Certified Professional (CCP) - Required. Must hold at hire or obtain within 6 months. CMMC Certified Assessor (CCA) - Strongly preferred at hire. Required within 12 months of hire. CMMC Registered Practitioner (RP) - Accepted as starting credential if pursuing CCP/CCA on defined timeline. Preferred Certifications (any combination adds value): CompTIA Security+ (SY0-701) Certified Information Systems Security Professional (CISSP) Certified Information Security Manager (CISM) Certified Information Systems Auditor (CISA) NIST Risk Management Framework (RMF) training or certification CompTIA CySA+ Skills & Competencies Exceptional technical writing: SSPs, policies, and compliance documents must be clear, thorough, and assessment-ready. Strong client communication: ability to explain complex compliance requirements to non-technical business owners and executives in plain language. Task decomposition: ability to take a high-level control gap (e.g., "AC.L2-3.1.3 Not Met") and break it into 5-10 specific, actionable remediation tasks with enough detail for a technician to execute. Project management: manage multiple clients, track deadlines, escalate blockers, and maintain visibility across all active engagements. Attention to detail: CMMC assessments are evidence-based. Missing or incomplete evidence can fail a control regardless of implementation quality. Ability to work independently while coordinating with Security Engineers, client stakeholders, and firm leadership. Benefits Medical Insurance Plan Dental & Vision Life Insurance Disability Coverage Paid Time Off (starts at 15 days per year) Maternity/Paternity Leave Paid US Holiday Retirement Plan Salary Advancement/Loan Health & Wellness Program Company-paid training and certification Supplemental Life Insurance (Employee-paid) Supplemental Health Plans (Employee-paid)

{
  "content_hash": "46b7c220acd692bf530d6d450d38fa01b4f33f30360eae63e763a40ece6ba439",
  "source_hash": "9aaa90aa272c6d66ed821aaaf37db9be9a52db95436642efad06f7e9f4d9b9df",
  "last_changed_at": "2026-06-03T10:55:55.599Z",
  "active_status": "deleted"
}

{
  "language": "en",
  "location": {
    "raw": "Remote - US",
    "city": null,
    "region": null,
    "country": "United States",
    "is_remote": true,
    "confidence": 0.95
  },
  "salary_max": null,
  "salary_min": null,
  "inferred_at": "2026-06-01T10:20:33.678Z",
  "launch_scope": {
    "reason": "english_us_canada",
    "included": true,
    "language": "en",
    "location": {
      "raw": "Remote - US",
      "city": null,
      "region": null,
      "country": "United States",
      "is_remote": true,
      "confidence": 0.95
    },
    "countries": [
      "United States"
    ]
  },
  "remote_policy": "remote",
  "salary_period": null,
  "workplace_type": "remote",
  "salary_currency": null
}

{}

{
  "title": "CMMC GRC Consultant (Hybrid)",
  "offices": [
    {
      "id": 4039195003,
      "name": "Remote - US",
      "location": null,
      "child_ids": [],
      "parent_id": null
    }
  ],
  "language": "en",
  "location": {
    "name": "Remote - US"
  },
  "metadata": [],
  "updated_at": "2026-04-16T20:04:05-04:00",
  "departments": [
    {
      "id": 4040890003,
      "name": "Operations - Cybersecurity",
      "child_ids": [],
      "parent_id": null
    }
  ],
  "company_name": "Intelligent Technical Solutions",
  "requisition_id": 5750161003,
  "first_published": "2026-04-13T17:22:51-04:00",
  "application_deadline": null
}